
Adobe ColdFusion 11 Security Technical Implementation Guide


Overview

Date: 2017-12-31
Finding Count: 100 (CAT I (High): 12, CAT II (Med): 83, CAT III (Low): 5)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-62413 High ColdFusion must have Remote Development Services (RDS) disabled.
V-62487 High ColdFusion must limit the SQL commands available.
V-62407 High ColdFusion must disable Flash Remoting support.
V-62365 High ColdFusion must require a username and password for access by each authorized user access.
V-62519 High ColdFusion must prevent JavaScript Object Notation (JSON) hijacking of data.
V-62527 High ColdFusion must have Robust Exception Information disabled.
V-62351 High ColdFusion must implement cryptography mechanisms to protect the integrity of the remote access session.
V-62529 High ColdFusion must have AJAX Debug Log Window disabled.
V-62445 High ColdFusion must contain the most recent update.
V-62533 High ColdFusion must have Allow Line Debugging disabled.
V-62531 High ColdFusion must have Request Debugging Output disabled.
V-62423 High ColdFusion must have Remote Inspection disabled.
V-62499 Medium ColdFusion must set a timeout for requests.
V-62495 Medium ColdFusion must limit the maximum number of simultaneous Report threads.
V-62497 Medium ColdFusion must limit the maximum number of threads available for CFTHREAD.
V-62491 Medium ColdFusion must limit the maximum number of Web Service requests.
V-62493 Medium ColdFusion must limit the maximum number of CFC function requests.
V-62415 Medium ColdFusion must have Remote Adobe LiveCycle Data Management access disabled.
V-62417 Medium ColdFusion must have the WebSocket Service disabled.
V-62411 Medium ColdFusion must have Event Gateway Services disabled.
V-62419 Medium ColdFusion must have example data sources removed.
V-62385 Medium ColdFusion must send log records to the operating system logging facility.
V-62387 Medium ColdFusion must allocate log record storage capacity in accordance with organization-defined log record storage requirements.
V-62381 Medium The ColdFusion log information must be protected from any type of unauthorized deletion through the Administrator Console.
V-62383 Medium The ColdFusion log information must be protected from any type of unauthorized deletion by having file permissions set properly.
V-62389 Medium ColdFusion log records must be off-loaded onto a different system or media from the system being logged.
V-62369 Medium When ColdFusion is configured in a clustered configuration, ColdFusion must be configured to write log records from the clustered system components into a system-wide log trail that can be correlated.
V-62489 Medium ColdFusion must set a query timeout for Data Sources.
V-62483 Medium ColdFusion must not store user information in the server registry.
V-62481 Medium ColdFusion, when part of a mission critical system, must be in a high-availability (HA) cluster.
V-62485 Medium ColdFusion must limit the maximum number of Flash Remoting requests.
V-62403 Medium ColdFusion must protect software libraries from being changed by OS users.
V-62401 Medium ColdFusion must limit privileges, within the Administrator Console, to change the software resident within software libraries.
V-62405 Medium ColdFusion must only allow approved file extensions.
V-62409 Medium ColdFusion must disable the In-Memory File System.
V-62393 Medium The ColdFusion log information must be protected from any type of unauthorized read access by having file ownership set properly.
V-62391 Medium ColdFusion logs must, at a minimum, be transferred simultaneously for interconnected systems and transferred weekly for standalone systems.
V-62397 Medium The ColdFusion log information must be protected from any type of unauthorized deletion by having file ownership set properly.
V-62395 Medium The ColdFusion log information must be protected from any type of unauthorized modification by having file ownership set properly.
V-62399 Medium ColdFusion must limit applications from changing shared Java components.
V-62477 Medium ColdFusion must provide a clustering capability.
V-62475 Medium ColdFusion must set session cookies as browser session cookies.
V-62473 Medium ColdFusion must use J2EE session variables.
V-62471 Medium ColdFusion must enable UUID for session identifier generation.
V-62367 Medium ColdFusion must require each user to authenticate with a unique account.
V-62363 Medium ColdFusion must control user access to Exposed Services.
V-62361 Medium ColdFusion must control remote access to Exposed Services.
V-62465 Medium The ColdFusion Administrator Console must be hosted in a management sandbox.
V-62509 Medium ColdFusion must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
V-62467 Medium ColdFusion must disable creation of unnamed applications.
V-62461 Medium Only authenticated system administrators or the designated PKI Sponsor for ColdFusion must have access to ColdFusion's private key.
V-62463 Medium The ColdFusion Administrator Console must be hosted on a management network.
V-62503 Medium ColdFusion must limit the time-out for requests waiting in the queue.
V-62375 Medium The ColdFusion log information must be protected from any type of unauthorized read access through the Administrator Console.
V-62501 Medium ColdFusion must set a timeout for logins.
V-62377 Medium The ColdFusion log information must be protected from any type of unauthorized read access by having file permissions set properly.
V-62507 Medium ColdFusion must limit the maximum number of POST requests parameters.
V-62469 Medium ColdFusion must not allow application variables to be added to Servlet Context.
V-62349 Medium ColdFusion must use cryptography mechanisms to protect the integrity of data sent to the PDF Service.
V-62479 Medium ColdFusion must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
V-62451 Medium ColdFusion must authenticate users individually.
V-62453 Medium ColdFusion must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
V-62455 Medium ColdFusion must transmit only encrypted representations of passwords for Flex Integration.
V-62457 Medium The ColdFusion Administrator Console must transmit only encrypted representations of passwords.
V-62459 Medium ColdFusion must transmit only encrypted representations of passwords to the mail server.
V-62511 Medium ColdFusion must encrypt cookies.
V-62513 Medium ColdFusion must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
V-62515 Medium ColdFusion must encrypt patch retrieval.
V-62517 Medium ColdFusion must protect Session Cookies from being read by scripts.
V-62525 Medium The ColdFusion site-wide error handler must be valid.
V-62357 Medium ColdFusion must set a maximum session time-out value.
V-62355 Medium ColdFusion must automatically terminate a user session after user inactivity.
V-62521 Medium ColdFusion must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
V-62353 Medium ColdFusion must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-62523 Medium The ColdFusion missing template handler must be valid.
V-62359 Medium ColdFusion must control remote access to the Administrator Console.
V-62449 Medium ColdFusion must have example gateway instances removed.
V-62447 Medium ColdFusion must have example collections removed.
V-62443 Medium ColdFusion must have the Default ScriptSrc Directory set to a non-default value.
V-62441 Medium ColdFusion must have Sandboxes defined for application execution.
V-62537 Medium ColdFusion must have ColdFusion component (CFC) type checking enabled.
V-62535 Medium The ColdFusion error messages must be restricted to only authorized users.
V-62539 Medium ColdFusion must enable Global Script Protection.
V-62439 Medium ColdFusion must have Sandbox Security enabled.
V-62433 Medium ColdFusion must execute as a non-privileged user.
V-62431 Medium The ColdFusion Root Administrator account must have a unique username.
V-62437 Medium ColdFusion must protect newly created objects.
V-62435 Medium ColdFusion accounts with access to the Administrator Console must be approved.
V-62379 Medium The ColdFusion log information must be protected from any type of unauthorized modification by having file permissions set properly.
V-62371 Medium ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
V-62429 Medium ColdFusion must disable auto reloading of configuration files on file changes.
V-62541 Medium ColdFusion must remove software components after updated versions have been installed.
V-62421 Medium The ColdFusion built-in Tomcat Web Server must be disabled.
V-62425 Medium ColdFusion must protect internal cookies from being updated by hosted applications.
V-62427 Medium ColdFusion must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.
V-62075 Low ColdFusion must limit concurrent sessions to the Administrator Console.
V-62505 Low ColdFusion must have a custom request queue time-out page.
V-62373 Low ColdFusion must log scheduled tasks.
V-62545 Low ColdFusion must have notifications enabled when a server update is available.
V-62543 Low ColdFusion must be set to automatically check for updates.